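{ config, pkgs, lib, ... }: {
  # Host configuration for "frumar": a ZFS storage box that also runs the UniFi
  # controller, the monitoring stack (node exporter -> Prometheus ->
  # VictoriaMetrics, Grafana), a NATS broker with an MQTT listener for home
  # automation, and an nginx front end that terminates TLS with the wildcard
  # ACME certificate defined at the bottom of this file.
  imports = [
    ./fractal.nix
    ../../roles/server.nix
    ../../roles/homeserver.nix
    ./paperless.nix
    ./media.nix
    ./home-automation.nix
    ./cache.nix
  ];

  system.stateVersion = "15.09";
  networking.hostId = "0702dbe9";

  # Build-time only: the JDK bootstrap used for jre8_headless does not need GTK.
  nixpkgs.overlays = [ (self: super: {
    openjdk8-bootstrap = super.openjdk8-bootstrap.override {
      gtkSupport = false;
    };
  }) ];

  # Self-signed certificate, used by the frumar.yori.cc vhost below.
  security.y-selfsigned.enable = true;

  services.nginx = let
    # HTTPS-only virtual host that proxies "/" (websockets included) to
    # `proxyPass` using the wildcard certificate. `extra` is merged on top and
    # may add to or override any attribute (e.g. a `listen` restriction).
    sslForward = proxyPass: extra: lib.mkMerge [ {
      onlySSL = true;
      useACMEHost = "wildcard.yori.cc";
      locations."/" = {
        inherit proxyPass;
        proxyWebsockets = true;
      };
    } extra ];
  in {
    enable = true;

    virtualHosts = {
      "unifi.yori.cc" = sslForward "https://[::1]:8443" {
        locations."/".extraConfig = ''
          # The controller presents its own self-signed certificate and this
          # hop is loopback-only, so upstream verification is disabled on
          # purpose. Do not copy this snippet for a non-local upstream.
          proxy_ssl_verify off;
          proxy_ssl_session_reuse on;
        '';
      };

      "grafana.yori.cc" = sslForward "http://127.0.0.1:3000" {};

      "prometheus.yori.cc" = sslForward "http://127.0.0.1:9090" {
        # only over VPN: Prometheus has no authentication of its own and the
        # admin API is switched on in services.prometheus below.
        listen = [ { addr = "10.209.0.3"; port = 443; ssl = true; } ];
      };

      "plex.yori.cc" = sslForward "http://127.0.0.1:32400" {
        extraConfig = ''
          gzip on;
          gzip_vary on;
          gzip_min_length 1000;
          gzip_proxied any;
          gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
          proxy_http_version 1.1;
          proxy_buffering off;
        '';
      };

      # NOTE(review): no auth_request on this host and the upstream is plain
      # HTTP on the LAN. Whatever listens on 192.168.2.135:7860 is reachable by
      # anyone who can resolve the name; confirm it enforces its own login or
      # wrap it with the oauth2 block used on priv.yori.cc.
      "fooocus.yori.cc" = sslForward "http://192.168.2.135:7860" {};

      "priv.yori.cc" = let
        # nginx auth_request snippet for oauth2-proxy. The /oauth2/ locations
        # themselves are added by services.oauth2_proxy.nginx.virtualHosts.
        oauth2Block = ''
          auth_request /oauth2/auth;
          error_page 401 = /oauth2/sign_in;

          # pass information via X-User and X-Email headers to backend,
          # requires running with --set-xauthrequest flag
          auth_request_set $user $upstream_http_x_auth_request_user;
          auth_request_set $email $upstream_http_x_auth_request_email;
          proxy_set_header X-User $user;
          proxy_set_header X-Email $email;

          # if you enabled --cookie-refresh, this is needed for it to work with auth_request
          auth_request_set $auth_cookie $upstream_http_set_cookie;
          add_header Set-Cookie $auth_cookie;
        '';

        # A proxied location that is only reachable after an oauth2-proxy login.
        proxyOauth2 = proxyPass: {
          inherit proxyPass;
          extraConfig = oauth2Block;
        };
      in {
        onlySSL = true;
        useACMEHost = "wildcard.yori.cc";

        # NOTE(review): "/" (dashy) and "/media/" carry no oauth2 block in this
        # file. Unless the oauth2_proxy nginx integration of this NixOS release
        # applies auth_request to the whole vhost, both are reachable without a
        # login -- confirm before relying on it.
        # TODO remove dashy
        locations."/".proxyPass = "http://127.0.0.1:4000";

        locations."/sonarr" = proxyOauth2 "http://127.0.0.1:8989";
        locations."/radarr" = proxyOauth2 "http://127.0.0.1:7878";

        locations."/marvin-tracker/" = {
          proxyPass = "http://[::1]:4001/";
          # handles auth using arg
          # NOTE(review): a credential carried as a query argument is written to
          # the nginx access log (unless logging is off) and may leak via the
          # Referer header of anything the page links to.
        };

        locations."/paperless/" = proxyOauth2 "http://127.0.0.1:${toString config.services.paperless.port}/";

        # Unauthenticated static share. With `root` (not `alias`) the location
        # prefix is kept, so /media/x is served from /var/mediashare/media/x;
        # the directory is made visible to nginx by BindReadOnlyPaths below.
        locations."/media/" = {
          root = "/var/mediashare";
        };
      };

      # The host's own name: self-signed certificate, with ACME forced off in
      # case an imported role enables it for every vhost.
      "frumar.yori.cc" = {
        enableACME = lib.mkForce false;
        inherit (config.security.y-selfsigned) sslCertificate sslCertificateKey;
      };
    };
  };

  # Expose the directories nginx serves to its (sandboxed) unit, read-only --
  # presumably required because the unit's filesystem protections hide them.
  systemd.services.nginx.serviceConfig.BindReadOnlyPaths = [ "/data/plexmedia/ca" "/var/mediashare" ];

  boot.supportedFilesystems = [ "zfs" ];

  services.iperf3 = {
    enable = true;
    # NOTE(review): iperf3 is unauthenticated and this opens its port on every
    # interface. If only VPN peers need it, prefer a rule under
    # networking.firewall.interfaces.wg-y instead.
    openFirewall = true;
  };

  services.unifi = {
    enable = true;
    # Opens the controller's ports on every interface, so its https UI is
    # reachable directly as well as through the unifi.yori.cc proxy above.
    openFirewall = true;
    # NOTE(review): Java 8 is end-of-life upstream; check that the pinned
    # UniFi release still requires it.
    jrePackage = pkgs.jre8_headless;
    unifiPackage = pkgs.unifiStable;
  };

  services.victoriametrics = {
    enable = true;
    retentionPeriod = 12;
  };

  services.prometheus = {
    enable = true;
    # The admin API allows deleting series and taking snapshots with no
    # authentication; it is acceptable only because port 9090 is reachable
    # solely via the VPN-only vhost above and the wg-y firewall rule below.
    extraFlags = [ "--web.enable-admin-api" ];
    # victoriametrics
    remoteWrite = [{ url = "http://127.0.0.1:8428/api/v1/write"; }];
    scrapeConfigs = [{
      job_name = "node";
      static_configs = [{ targets = [ "localhost:9100" ]; }];
    }];
    exporters.node.enable = true;
  };

  services.yorick.paperless = {
    enable = true;
    openFirewall = true;
    scanner_ip = "192.168.2.49";
  };

  # Encryption keys are not requested while importing pools at boot; whatever
  # unlocks the encrypted datasets is not in this file.
  boot.zfs.requestEncryptionCredentials = false;

  networking.firewall = {
    interfaces.wg-y.allowedTCPPorts = [ 3000 9090 ]; # grafana and prometheus via pennyworth
    # mqtt, nats -- on every interface; both are protected by the account /
    # user passwords in services.nats below.
    allowedTCPPorts = [ 1883 4222 ];
    # MQTT as served by NATS is TCP-only, so no UDP port is opened for it.
  };

  services.grafana = {
    enable = true;
    settings = {
      # Bound to every interface; directly reachable only through the wg-y
      # rule above (port 3000), everything else goes via grafana.yori.cc.
      server.http_addr = "0.0.0.0";
      server.domain = "grafana.yori.cc";
      server.root_url = "https://grafana.yori.cc/";
      # Google OAuth only: no basic auth, no local login form, no self sign-up.
      # The client id/secret come from the EnvironmentFile set further down.
      "auth.basic".enabled = false;
      "auth.google" = {
        enabled = true;
        allow_sign_up = false;
      };
      auth.disable_login_form = true;
    };
  };

  age.secrets = {
    acme-transip-key = {
      file = ../../../secrets/transip-key.age;
      # Read by the acme user via the group. Was "770": a DNS API private key
      # must not be group-writable or executable, read-only is all lego needs.
      mode = "440";
      group = "acme";
    };
    frumar-mail-pass.file = ../../../secrets/frumar-mail-pass.age;
    grafana.file = ../../../secrets/grafana.env.age;
    oauth2-proxy.file = ../../../secrets/oauth2-proxy.age;
    zigbee2mqtt.file = ../../../secrets/zigbee2mqtt.env.age;
    marvin-tracker.file = ../../../secrets/marvin-tracker.env.age;
  };

  systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secrets.grafana.path;
  systemd.services.zigbee2mqtt.serviceConfig.EnvironmentFile = config.age.secrets.zigbee2mqtt.path;

  services.zfs.autoScrub = {
    enable = true;
    interval = "*-*-01 02:00:00"; # monthly + 2 hours
  };

  services.znapzend = {
    enable = true;
    pure = true;
    features = {
      zfsGetType = true;
      # Raw sends: encrypted datasets are replicated without being decrypted.
      sendRaw = true;
    };
    zetup = {
      "frumar-new" = {
        plan = "1w=>6h,1m=>1w,1y=>1m,2y=>6m,50y=>1y";
      };
      "frumar-new/plexmedia" = {
        plan = "1w=>6h,1m=>1w,1y=>1m,2y=>6m,50y=>1y";
      };
      "ssdpool/root" = {
        plan = "2d=>1d";
      };
      "ssdpool/root/var" = {
        plan = "1w=>1d";
        # The only dataset with an off-pool copy: state under /var is backed
        # up to the HDD pool.
        destinations.frumar-new = {
          dataset = "frumar-new/backup/ssdpool-root-var";
          plan = "1w=>1d,1m=>1w,1y=>1m,10y=>6m,50y=>1y";
        };
      };
    };
  };

  users.users.yorick.packages = with pkgs; [
    borgbackup
    bup
    fzf
    git-annex
    magic-wormhole
    python3
    ranger
    jq
    unzip
  ];

  # Wildcard certificate obtained via the TransIP DNS challenge; the API key is
  # the acme-transip-key secret above, handed to lego through the environment.
  security.acme.certs."wildcard.yori.cc" = {
    domain = "*.yori.cc";
    dnsProvider = "transip";
    reloadServices = [ "nginx.service" ];
  };

  # nginx needs group access to read the certificate material.
  users.users.nginx.extraGroups = [ "acme" ];

  systemd.services."acme-wildcard.yori.cc".environment = {
    TRANSIP_ACCOUNT_NAME = "yorickvp";
    TRANSIP_PRIVATE_KEY_PATH = config.age.secrets.acme-transip-key.path;
  };

  # Outbound mail (smartd and zed notifications) relayed through pennyworth.
  programs.msmtp = {
    enable = true;
    accounts.default = {
      auth = true;
      tls = true;
      from = "frumar@yori.cc";
      host = "pennyworth.yori.cc";
      user = "frumar@yori.cc";
      # The password is read from the agenix secret at send time rather than
      # being written into the world-readable msmtp config.
      passwordeval = "${pkgs.coreutils}/bin/cat ${config.age.secrets.frumar-mail-pass.path}";
    };
  };

  services.smartd = {
    enable = true;
    notifications.mail = {
      enable = true;
      sender = "frumar@yori.cc";
      recipient = "yorickvanpelt@gmail.com";
    };
  };

  services.zfs.zed.settings = {
    ZED_EMAIL_ADDR = [ "yorickvanpelt@gmail.com" ];
    ZED_EMAIL_PROG = "/run/wrappers/bin/sendmail";
    ZED_EMAIL_OPTS = "@ADDRESS@";
    ZED_NOTIFY_INTERVAL_SECS = 3600;
    ZED_NOTIFY_VERBOSE = true;
    ZED_SCRUB_AFTER_RESILVER = true;
  };

  # Login gate for priv.yori.cc: a single allowed e-mail address, client
  # credentials and cookie secret from the oauth2-proxy secret, and redirects
  # restricted to the one host it serves.
  services.oauth2_proxy = {
    enable = true;
    email.addresses = "yorickvanpelt@gmail.com";
    redirectURL = "https://priv.yori.cc/oauth2/callback";
    # Trusts X-Forwarded-* from nginx; fine as long as the proxy itself is
    # only reachable from localhost.
    reverseProxy = true;
    keyFile = config.age.secrets.oauth2-proxy.path;
    setXauthrequest = true;
    nginx.virtualHosts = [ "priv.yori.cc" ];
    extraConfig.whitelist-domain = ["priv.yori.cc"];
  };

  # NATS broker with an MQTT listener for the IoT clients. Passwords are bcrypt
  # hashes; keep it that way, the rendered config presumably lands in the
  # world-readable Nix store.
  # NOTE(review): none of the users carry `permissions`, so as far as this
  # file shows every MQTT client may publish/subscribe to any subject in the
  # `default` account; consider per-user subject allow lists.
  services.nats = {
    enable = true;
    jetstream = true;
    settings = {
      mqtt.port = 1883;
      system_account = "SYS";
      accounts = {
        SYS.users = [ {
          user = "admin";
          password = "$2y$10$TWoKGC7/VKQRnIK163akm.0JRdhSA00lMMVn8fa1tPyKBgbED0BL2";
        } ];
        default = {
          jetstream = "enabled";
          users = [
            {
              user = "yorick";
              password = "$2y$10$EtQh8YX0I91X774PhDxhKOSGSc0IAAvGwZErVKV3z.IfeHTcT1.yy";
            }
            # The device accounts may only connect over MQTT, not native NATS.
            {
              user = "iot";
              password = "$2y$10$.JF/0CQ1PYCFPITsSXGj..k5v60rZvDc.LWCIDhZpoc93NyyIa5wS";
              allowed_connection_types = [ "MQTT" ];
            }
            {
              user = "zigbee2mqtt";
              password = "$2a$11$CC5NVYiTUeoa4A4w94NFMORO/0jhMR60JWgPUgjct8c2vg29wwIGG";
              allowed_connection_types = [ "MQTT" ];
            }
            {
              user = "marvin-tracker";
              password = "$2a$11$V9G2gT52obCsDOBwibHfMudnibwP/s3NwUjwvtsnlHfkn5kJHOOEe";
              allowed_connection_types = [ "MQTT" ];
            }
          ];
        };
      };
    };
  };

  services.yorick.marvin-tracker = {
    enable = true;
    secretFile = config.age.secrets.marvin-tracker.path;
  };
}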